On 21 March 2006, Jack Dorsey sent the first ever Twitter message or ‘tweet’ with five simple words “just setting up my twttr”. Five years later, 140 million tweets are sent in a host of different languages every day via the micro-blogging service which boasts over 200 million registered users worldwide and is valued at an estimated $7.7 billion following an auction of shares in March 2011.
Although Twitter’s 100 million messages a day may seem paltry compared to the roughly 66 billion email messages sent each day on average in March 2011 before the Rustock botnet was disrupted; (52 billion of which were spam). The prolific growth of micro-blogging platforms has not escaped the attention of cybercriminals who are constantly on the lookout for new and innovative ways to capitalise on the latest emerging technology to try and trick internet users into clicking on malicious links.
I can just about remember a time when tweeting was something only ever associated with our feathered friends, but social networking and micro-blogging has now become part of the mainstream and as such has become an attractive ecosystem for cybercriminals target when trying to ‘mix it up’ and catch internet users off guard. Rather than continually rely on email to get their messages across, cyber criminals sometimes changes tack and often seek to exploit these newer communication channels, potentially affecting large numbers of users in a short space of time.
Also synonymous with the rise of Twitter and other social networking websites has been the rise of URL shortening services, such as Bit.ly or TinyURL.com. Although these are not a new phenomenon, the need to be so economical with text in a 140 character message has boosted their popularity and the number of new shortening services in circulation is growing each day.
Figure 1 - Table showing most frequently used URL shortening services in spam between 2009 and 2010
URL shortening has also become a tool for cybercriminals to disguise malicious links from users. In 2010, according to the MessageLabs Intelligence 2010 Annual Security Report (pdf), in the second quarter of 2010, spam containing shortened hyperlinks hit a one day peak of 18 percent of all spam (23.4 billion spam emails) on April 30, 2010; doubling the previous year’s peak levels when spam with shortened hyperlinks accounted for 9.3 percent of all spam (more than 10 billion spam emails) on July 28, 2009.
Figure 2 - Chart showing increased use of URL shortening services in spam emails
In addition to higher peak levels, average daily values also show a significant increase in use of the tactic (pdf). There were 43 days when at least 1 in 200 spam messages contained shortened hyperlinks and 10 days where at least 5% of all spam contained these links. By the end of 2010, approximately 3% of spam made use of URL shortening services.
In our predictions for 2011, we identified URL shortening as a potential outlet for more sophisticated attacks particularly if a criminal enterprise gains control of a significant URL shortening service, or sets up a service that appears legitimate. The five year anniversary of the first tweet is an opportunity for us to remind internet users be wary when clicking on random links sent out by unfamiliar users and to, as Twitter strongly encourages, report spam links immediately thereby allowing them to be quickly shut down.